The flaw exists in the Theme My Login WordPress plugin, where missing authorization checks allow an attacker to exploit incorrectly configured access control levels. Because the plugin does not enforce proper permissions on certain endpoints, an adversary can call functions or view data normally reserved for privileged users, potentially revealing sensitive information or modifying site settings. This missing authorization can effectively grant unauthorized use of protected actions within the WordPress site.

All installations of the Jeff Farthing Theme My Login plugin running version 7.1.12 or earlier are affected. Users of the plugin on any WordPress site that have not upgraded beyond 7.1.12 are potentially exposed.

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. Its EPSS score of <1 % shows a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Because the plugin is web‑accessible, the likely attack vector is remote via HTTP. An attacker can typically trigger the flaw by issuing HTTP requests to the plugin’s endpoints without needing privileged credentials, but practical exploitation requires the plugin to be installed and configured. As no public exploits are known and the exploitation probability is low, the overall risk is moderate; however, applying the patch remains the most effective defense.